GDPR: Privacy and security ‘by design’
By Dzof Azmi March 20, 2018
- In effect by 25 May 2018, companies need to incorporate privacy safeguards to secure data
- Security and data protection move to "by design" as opposed to an afterthought
With the EU's General Data Protection Regulation (GDPR) to protect data privacy coming into effect on 25 May this year, companies that think they may be affected by it should already be laying the groundwork to ensure that they are compliant. Be warned, the work to do so is not trivial.
Experts DNA interviewed estimate that the work of making a company compliant will take between three and six months.
Since the EU's data protection laws have long been regarded as a gold standard all over the world, other countries will likely use the GDPR as a benchmark for any update to their privacy laws in the future. As a result, it is clear that the onus is on companies to protect the consumer.
"Companies are now tasked to maintain compliance by providing EU nationals with clear, easily understood opt-in processes," explains Ian Yip, chief technology officer, Asia Pacific at McAfee.
As a result, companies have to figure out how to implement the necessary technology and processes to secure users' personal data. Companies must be able to demonstrate how they have incorporated privacy safeguards, and should they fail, be prepared to promptly report breaches of personal data.
Users will also get the right to determine if their data is recorded and request companies to rectify and erase their personal data if they wish. "Under the GDPR, consumers are put in the driver’s seat," says Yip.
Preparing for GDPR
For some companies, letting the user take control of their own data may be a drastic change in culture, and making the change may seem daunting.
However, Yip clarifies that preparing for GDPR compliance does not necessarily require large teams of experts. "It can, however, be labour intensive," he cautions.
"Organisations still have to think about the business processes the GDPR affects, the breach detection processes it affects, the people who will operate that technology, and those individuals whose data is processed," Yip elaborates.
"Preparing for GDPR usually requires cross-functional teams across an organisation and many different levels of seniority," he says, adding that departments that are usually affected include legal, compliance, finance, technology, security and marketing.
Given the comprehensive nature of GDPR, it's important for companies to correctly assess what data they own. "You can’t protect what you don’t know you have," says Yip. "This is a good time for companies to figure out how and where they hold personal data – and not just that of EU residents, and not just for EU affiliates."
The emphasis is very much on "security by design", where issues of privacy and security are considered at the very beginning of a project, rather than implemented as an afterthought. There also need to be regular reviews and testing of all the precautions and procedures put in place.
"The hardest part of GDPR might actually be disclosing a data breach," warns Yip. While before, companies could disclose details of breaches at their own discretion, the GDPR mandates that breaches must be reported within 72 hours. "Disclosure of such data breaches might have several consequences, such as loss of reputation, a hit in share prices or even legal implications."
A Malaysian example in readiness
One example of a Malaysian company that has had to make sure they are GDPR-compliant is Fusionex International, a company that specialises in Analytics, Big Data, Machine Learning and Artificial Intelligence and whose clients include Air France, KLM, Daimler and Jaguar.
"We became aware that the GDPR had been adopted in April 2016 by the EU Parliament," said Sharin Kaur Veriah, Fusionex Group Head of Legal. "Our first reaction was to check with our advisers."
Although the company already had policies and procedures in place with respect to data privacy, it still needed to assess the impact of GDPR. "The process was one that was relatively smooth due to the fact that we have already been adhering to other data privacy laws and frameworks," explains Sharin.
Her advice to other companies that intend to become compliant is to "Lean inwards and seek guidance from your internal governance and legal team as well as external advisers," and to observe and learn from what other companies are doing.
Looking beyond the deadline
The focus for Fusionex now is to keep abreast of any developments once GDPR comes into effect. "We do need to monitor how the regulation is rolled out and the effect it has on businesses in the EU as well as the global IT community as a whole," says Sharin. "A noteworthy aspect would be how the authorities propose to implement the same throughout in the EU and outside the borders of the EU."
Yip agrees there is no guaranteed way to know if a company is GDPR-compliant, given that there is currently no formal certification to say so. However, in the future, individual countries in the EU may establish their own forms of certification.
Yip suggests companies should see becoming GDPR-compliant as an opportunity. "Instead of merely checking off a list to make sure their organisation is compliant with GDPR requirements, organisations can use this as an opportunity to implement a culture of security and privacy by design," enthuses Yip.
"Organisations can explore implementing an entire framework that goes beyond GDPR and helps an organisation’s overall security posture as well."